CompTIA

PT0-001 · Question #167

PT0-001 Question #167: Real Exam Question with Answer & Explanation

The correct answer is A: ''&CMD_cat /etc/passwd--&id-34''. LFI with log poisoning allows arbitrary PHP execution by injecting code into server logs and including those logs, then passing OS commands via GET parameters.

Question

A web server is running PHP, and a penetration tester is using LFI to execute commands by passing parameters through the URL. This is possible because server logs were poisoned to execute the PHP system() function. Which of the following would retrieve the contents of the passwd file?

Options

  • A. ''&CMD_cat /etc/passwd--&id-34''
  • B. ''&CMD=cat / etc/passwd%&id= 34''
  • C. ''&CMD=cat ../../../../etc/passwd7id=34'
  • D. ''&system(CMD) ''cat /etc/passed&id=34''

Explanation

LFI with log poisoning allows arbitrary PHP execution by injecting code into server logs and including those logs, then passing OS commands via GET parameters.

Common mistakes.

  • B. The space in '/ etc/passwd' between the slash and 'etc' is invalid path syntax and would cause the shell command to fail.
  • C. Path traversal sequences like '../../../../' are unnecessary when calling an absolute path via system(), and '7id=34' is a malformed parameter separator that breaks the query string.
  • D. The word 'passed' is a typo for 'passwd', meaning the command targets a non-existent file, and the syntax does not correctly pass a GET parameter to the PHP system() function.

Concept tested. LFI log poisoning with PHP system() command execution

Reference. https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
